24 Apr Probing News Media Disinformation On COVID-19; WHOIS PressTV.com?
Investigative exercise illustrates how to map the infrastructure of suspicious websites
– Jonathan Zhang, CEO at Whois XML API
Walnut, Calif. – Apr. 24, 2020
In spite of its tragic health, moral, and economic implications, the COVID-19 pandemic has become a rather lucrative business for cybercriminals. Various scammers have been attempting to trick panicking individuals into divulging their personal details or accessing malware-ridden websites in exchange for what they claim to be valid information.
While that’s disheartening, scams and disinformation are other types of threats that Netizens will have to pay attention to in the next few months. Considering the latter, how widespread could disinformation possibly be?
NewsGuard released an awareness tracker listing down news sites supposedly spreading disinformation about the ensuing pandemic. Like healthcare experts, NewsGuard urges people in search of updates about the virus to only rely on official websites such as that of the World Health Organization (WHO).
We do not intend to judge whether the listed sites are, in fact, spreading inaccurate details about the pandemic (a lot of content consumers may disagree with NewsGuard’s views and list). However, we thought that one’s ability to map out suspected sites’ IT networks may come in handy for a deeper perspective.
So, we decided to review the infrastructure of one of the listed sites — PressTV[.]com — to see what connections could be found.
Is PressTV.com spreading fake news about the novel Coronavirus pandemic?
WhoisXML API takes a look under the hood of this controversial media site
What We Learned from PressTV[.]com’s Infrastructure
For those who may not know, PressTV[.]com is a Tehran-based 24-hour English- and French-language news and documentary site affiliated with the Islamic Republic of Iran Broadcasting (IRIB). IRIB, meanwhile, is a government-owned media corporation founded in 1979 by Reza Ghotbi.
In the past, PressTV has been accused of breaching broadcasting rules (that’s according to Ofcom, U.K.’s communication regulator) and spreading political propaganda. Now, say you want to study the news site more closely and have access to domain intelligence tools like WHOIS Lookup. Here is what you would find looking at PressTV[.] com and irib[.]ir’s WHOIS record:
- The WHOIS record details have been redacted for privacy, something unusual for a news agency. Bloomberg[.]com and foxnews[.]com, in comparison, both have their WHOIS record details public.
- There isn’t much information in common between PressTV[.]com and irib[.]ir’s WHOIS records. The latter has a publicly viewable WHOIS record with “islamic republic of iran broadcasting” appearing as the registrant organization.
Let’s now consider the WHOIS records of three domains — PressTV[.]ir, PressTV[.]co[.]uk, PressTV[.]tv — which, according to PressTV[.]com, also host its published content.
- A WHOIS Lookup query for PressTV[.]ir showed different details than those of PressTV[.]com. Actually, the .ir version shows the same information as that obtained earlier for irib[.]ir. When we tried to access PressTV[.]ir, however, we were redirected to PressTV[.]com automatically, so these two domains are indeed connected.
- Meanwhile, our WHOIS Lookup query for PressTV[.]co[.]uk returned incomplete data, most likely because it was taken down.
- The WHOIS Lookup query for PressTV[.]tv showed a privacy-protected WHOIS record as well. Interestingly, when we tried accessing the site, we found that Google Safe Browsing blocked it for potential phishing.
Still relying on domain intelligence tools, what are other ways to find domain names with close ties to a site of interest? By querying “presstv.com” in Reverse WHOIS Search, we found that the following domain names have the search term contained in their WHOIS records:
- hdmiran[.]ir
- iroonijat[.]ir
- presstv[.]vg
- q4t[.]tv
- shop-presstv[.]com
Also, given PressTV[.]com’s name server ns1[.]presstv[.]ir (which we identified in our earlier WHOIS lookup query), we were able to obtain 23 more domains via Reverse NS Lookup:
- hispan[.]net
- hispan[.]org
- hispantv[.]com
- hispantv[.]net
- hispantv[.]org
- hispantv[.]ir
- hausatv[.]com
- htv[.]mx
- hdmiran[.]ir
- iktv[.]ir
- ifilmtv[.]ir
- ifilm[.]ir
- ifilmtv[.]com
- iranhdm[.]ir
- irankalatv[.]ir
- motv[.]ir
- presstvdoc[.]org
- ptv[.]io
- presstvdoc[.]com
- presstvdoc[.]net
- q4t[.]tv
- hispan[.]tv
- radmedia[.]com
It’s possible to run follow-up WHOIS, reverse WHOIS, and reverse NS lookups on each of these domains to further map out PressTV’s IT infrastructure though doing so goes beyond the intent of this post. From what we can see above, the identified sites show that the news entity has a rather comprehensive network under the hood — with notable interest in Spanish-speaking communities as domain names like hispantv[.]com and hispantv[.]net tend to demonstrate.
Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth
Former White House CIO Theresa Payton’s new book
“Cybersecurity professionals should be versed in the criminal practice of typosquatting in order to fully protect their employees and organizations, especially now with the COVID-19 restrictions that have sent millions of workers home,” says Steve Morgan, founder of Cybersecurity Ventures and editor-in-chief at Cybercrime Magazine. “Cyber Fighters are inundated with a multitude of threats and will sometimes overlook the proactive measures they can take around the growing universe of malicious domains.”
Experts warned that coronavirus misinformation is dangerous, and so paying attention to facts from reliable sources is essential. While this post doesn’t intend to corroborate NewsGuard’s perspective on sites listed as potential spreaders of misinformation, our investigative exercise illustrates how one can go about mapping the infrastructure of suspicious sites.
Disinformation on the Internet, and related cybercrime, is rampant in the U.S.
“The public should be aware of a practice of promoting ‘gray news’ or what I refer to as ‘news or information laundering.’ Much like money laundering, a story with truths and then opinions or claims plant misinformation in the right places so that it gets picked up by other countries’ media — including our own. It’s hard to retrace it back to the original source without studying the digital tracks,” says former White House CIO and cybersecurity expert Theresa Payton.
“Gray market services or information laundering are built for both commercial or nonprofit purpose, many have good intentions and by the way, considered legal to deploy,” adds Payton, author of the book Manipulated. “In the hands of bad-faith actors, this tactic can, unfortunately, promote misinformation, propaganda, and manipulation campaigns. It just takes a few legitimate news accounts or social media accounts to repost and amplify the campaign.”
– Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API Inc. family, a trusted intelligence vendor by over 50,000 clients.
Sponsored by Whois XML API
Precise and exhaustive data is vital for cyber-security professionals to analyze and prevent cyber crime. Whois XML API offers a comprehensive collection of domain, WHOIS, DNS and threat intelligence data feeds that are essential to their work. It’s an exhaustive Cyber-security package that offers a maximum coverage of both real-time and historic data, complete with instruments for threat hunting, threat defense, cyber forensic analysis, fraud detection, brand protection, data intelligence enrichment across variety of SIEM, Orchestration, Automation and Threat Intelligence Platforms.